NIST Announces Third Round Candidates for Post-Quantum Digital Signatures

Quantum Safe Digital Signature

Quick Summary

Globally, companies are still preparing for a quantum revolution, and the National Institute of Standards and Technology (NIST) has made significant progress on its Post-Quantum Cryptography (PQC) Standardization Program.

On May 21, 2026, NIST named the 9 digital signature algorithms that are moving on to the next round of its Additional Digital Signature Candidates PQC Standards Process. These are the next group of candidates being evaluated as possible post-quantum digital signatures to protect critical systems against future attacks that use quantum computing.

Here are the Candidate Algorithms:

  • FAEST
  • HAWK
  • MAYO
  • MQOM
  • QR-UOV
  • SDitH
  • SNOVA
  • SQIsign
  • UOV

NIST's most recent announcement marks the completion of its 18-month evaluation of all candidate post-quantum digital signature schemes and the start of a new phase that will evaluate some additional digital signature schemes to help protect critical systems against potential quantum attacks in the future.

The Evolution of NIST’s PQC Standardization Journey

Due to growing concern over large-scale quantum computing’s ability to break common public-key cryptography, NIST began creating the initial set of post-quantum standard documents.

This included a PQC competition, which aimed to identify post-quantum-safe digital signature and key agreement algorithms suitable for government, commercial and critical infrastructure applications.  

As part of the certification process for these post-quantum candidates, NIST has conducted several peer-reviewed evaluations, each consisting of a series of rounds, and publicly reviewed submitted algorithms (via cryptanalysis). 

The first round of standards included:

  • CRYSTALS-Kyber (now standardized as ML-KEM) for key establishment
  • Falcon for digital signatures
  • SPHINCS+ (now standardized as SLH-DSA) for digital signatures

NIST issued the first set of PQC standards in August of 2024. These standards are the foundation for organizations to begin their transition to quantum-resilient cryptography, giving them the first legally recognized PQC algorithms to use for that transition.

Long-term security requires diversity in cryptographic methods, because systems that belong to the same mathematical family are likely to share the same vulnerabilities.

To support long-term security of all cryptographic systems, NIST initiated an Independent Digital Signatures (IDS) program in 2022 to develop additional digital signature schemes that rest on a different mathematical base than those currently in use and that offer different performance and deployment characteristics.

Why Additional Signature Algorithms Matter

The first set of standardized algorithms for post-quantum cryptography offers strong initial building blocks for a sound quantum-safe security model.

Many of these algorithms share the same or similar underlying mathematical assumptions, primarily through their reliance on lattice-based cryptography, and can therefore share vulnerabilities.

As a part of the Additional Signatures project, NIST is working to mitigate some of the systemic risk that occurs whenever there is a cryptanalytic breakthrough.

If a cryptanalytic breakthrough compromises an entire class of algorithms that share a particular underlying mathematical structure, alternative algorithms based on different mathematical structures will be available to serve as replacements for the class that has been attacked.

NIST is also interested in finding algorithms that offer specific advantages over other algorithms in diverse deployment scenarios and can therefore be expected to provide value in those scenarios.

These use cases may include, but will not be limited to:

  • Smaller signature sizes
  • Smaller public-key sizes
  • Faster verification times
  • Better performance on constrained devices
  • Easier implementation and deployment

These reasons for diversification become increasingly important as governments, enterprises, cloud service providers, and certificate authorities begin to transition to a large-scale PQC solution.

From 50 Submissions to 9 Finalists

The additional digital signature process began with a call for proposals in 2022.

The competition progressed through several stages:

  • 50 submissions received
  • 40 candidates accepted into the first round
  • 14 candidates advanced to the second round
  • 9 candidates selected for the third round

Throughout the evaluation process, NIST researchers and the broader cryptographic community conducted extensive security reviews, implementation studies, performance testing, and cryptanalysis.

The remaining candidates represent a diverse collection of cryptographic families:

Algorithm | Cryptographic Family
FAEST     | Symmetric-key / VOLE-in-the-Head
HAWK      | Lattice-based
MAYO      | Multivariate
MQOM      | Multivariate / MPC-in-the-Head
QR-UOV    | Multivariate
SDitH     | Code-based / MPC-in-the-Head
SNOVA     | Multivariate
SQIsign   | Isogeny-based
UOV       | Multivariate

The selection demonstrates NIST’s commitment to preserving cryptographic diversity rather than concentrating exclusively on one mathematical approach.

NIST’s Evaluation Criteria

NIST evaluated the second-round candidates using three primary categories:

Security

Security remains the agency’s highest priority. Candidate algorithms were assessed for:

  • Resistance to classical attacks
  • Resistance to quantum attacks
  • Strong unforgeability guarantees
  • Multi-key attack resistance
  • Side-channel resilience
  • Fault-injection resistance

Because these algorithms could eventually protect digital certificates, software updates, government communications, financial systems, and critical infrastructure, long-term security confidence remains paramount.

Performance and Cost

NIST also examined:

  • Signature generation speed
  • Verification speed
  • Computational efficiency
  • Memory requirements
  • Hardware acceleration potential

Performance characteristics are especially important for resource-constrained environments such as IoT devices, embedded systems, smart cards, and edge computing platforms.

Implementation Characteristics

The agency evaluated:

  • Ease of implementation
  • Deployment complexity
  • Side-channel mitigation requirements
  • Intellectual property considerations
  • Long-term maintainability

Notably, NIST reported that no side-channel findings during the second round were severe enough to eliminate any candidate.

Standout Candidates

SQIsign

SQIsign emerged as one of the most distinctive candidates due to its exceptionally small public-key and signature sizes.

These characteristics make it particularly attractive for:

  • Digital certificates
  • Firmware updates
  • Embedded systems
  • Constrained devices

According to NIST's findings, refinements made to the architecture of SQIsign have significantly improved the algorithm, making signing approximately 20x faster than before these refinements were applied.

Furthermore, NIST concluded that the refinements made to SQIsign did not compromise its security against the attacks that had previously been used against SIKE.

As a result, although SQIsign has implementation complexity and side-channel resistance issues, its very compact signature size and mature design aided its progression to the third round of the competition.

HAWK

HAWK is a lattice-based alternative to Falcon that is completely integer-based, so it does not need floating-point arithmetic to achieve the same level of security and functionality; this means:

  • Simpler implementation
  • Greater portability
  • Improved suitability for constrained environments

Because HAWK's signatures are very small and its signing is efficient, NIST recommended that HAWK continue to be evaluated, with further study of security issues relating to its original security assumptions.

FAEST

FAEST follows a conservative design philosophy that uses existing symmetric cryptographic techniques (including AES). Compared with the previous version, it has achieved significantly greater performance and improved quantum security proofs.

While researchers have identified potential vulnerabilities associated with some types of implementations (e.g., fault attacks and side-channel attacks), NIST concluded that such vulnerabilities can be managed, and therefore allowed FAEST to progress to the third round.

MQOM and SDitH

Among the MPC-based candidates that were reviewed, MQOM and SDitH stood out as very good submissions. MQOM delivered performance that matched that of existing methods (for example, RSA) at an equivalent level of security, with smaller keys and signatures.

SDitH has the advantage of a long history of research into syndrome decoding and has historically relied on conservative security assumptions. NIST therefore views both MQOM and SDitH as good candidates for providing greater cryptographic diversity than the methods available to date.

The Multivariate Cryptography Story

Perhaps the most interesting aspect of the third-round selections is the continued presence of four multivariate candidates:

  • UOV
  • MAYO
  • QR-UOV
  • SNOVA

Researchers found several ways of attacking UOV, MAYO, and SNOVA during the second round, specifically with regard to their parameter sets.

Ultimately, NIST determined that the attacks affected only some of the possible parameters for each of the algorithms, and therefore did not significantly undermine UOV, MAYO, and SNOVA.

NIST has reaffirmed that secure settings exist for each of the four algorithms and also for all proposed parameters for these algorithms, including QR-UOV.

UOV

UOV continues to be attractive due to its small signature sizes and quick verification times. NIST continues to view UOV as a valid contributor to algorithmic diversity, even though it suffers from large public-key sizes.

MAYO

MAYO provides a smaller public key than UOV while keeping the same signature size and verification time as UOV. NIST determined that some parameter settings of MAYO were negatively impacted by wedge attacks; however, the overall design of the scheme was not at fault.

QR-UOV

The QR-UOV algorithm has avoided the problems associated with wedge attacks on other multivariate schemes. This algorithm has achieved a significant reduction in the amount of public key data by using quotient ring techniques and by utilizing odd characteristic fields.

The result is that QR-UOV provides excellent security margins along with significant performance increases (compared to other schemes).

SNOVA

SNOVA continues to be a candidate for the NIST post-quantum cryptographic standard even after being subjected to cryptanalytic attacks during the competition.

Its most recent parameter sets indicate that SNOVA is very competitive in efficiency compared to other schemes and offers smaller public keys and signatures than Falcon in several instances.

Although NIST stated that they view the scheme as immature compared to some other competing schemes, they kept SNOVA as a candidate due to its potential for long-term usage.

Candidates Eliminated in Round Two

Several notable candidates were eliminated after the second round.

CROSS

After CROSS went through an additional security evaluation and parameter refinement, NIST concluded that its performance profile was still too similar to that of SPHINCS+ and did not offer enough of an advantage over it, and that its signatures were very large relative to other submitted candidates.

LESS

Through optimization, LESS achieved significantly smaller signature sizes. However, this candidate had very large public keys and did not deliver acceptable performance relative to other candidates; NIST therefore eliminated LESS, also citing concerns about attack methods affecting this candidate's security margins.

Mirath, PERK, and RYDE

Despite significant improvements shown by all 3 schemes in round 2, NIST found that competing systems offered better combinations of security, maturity, and performance, so these 3 will no longer advance in this process.

What Happens Next?

NIST anticipates that this third phase of evaluations will last roughly 2 years. Submitters can make limited changes to address identified weaknesses or inconsistencies and to resolve implementation issues; revised packages must be submitted by August 14, 2026.

NIST expects only minor revisions, and submission redesigns may suggest that a scheme is less than ready for standardization; however, where the technology submitted is completely new, other than limitations outlined in the evaluation guidelines, NIST may accept prior designs that have not been submitted from this process due to late entry into the competition.

Throughout this time, NIST urges the global cryptography community to continue its review of the candidates still being evaluated through:

  • Cryptanalysis
  • Optimized software implementations
  • Hardware acceleration studies
  • Constrained-device testing
  • Side-channel assessments
  • Performance benchmarking

NIST also plans to host the 7th NIST PQC Standardization Conference in 2027, likely in or near Gaithersburg, Maryland.

Broader Post-Quantum Transition

The announcement arrives amid growing efforts to prepare for the eventual arrival of practical quantum computing.

Recent initiatives include:

  • Publication of NIST’s first PQC standards
  • Release of NIST’s draft PQC transition strategy
  • Federal guidance encouraging cryptographic inventory assessments
  • CISA’s publication of hardware and software categories supporting PQC standards

Cybersecurity professionals are warning against "harvest now, decrypt later" threats, where an adversary collects encrypted data today with the intention of decrypting it with quantum computers at a later date.

Therefore, organizations are being asked to begin planning for PQC migration now rather than waiting until quantum computers are operational.

Conclusion

Post-Quantum Cryptography (PQC) is changing from an academic project into one of the significant building blocks of future cybersecurity strategy.

The emergence of quantum computing requires that organizations prepare for a major shift in their cryptographic infrastructure to protect sensitive data (e.g., user identities), communications, and vital infrastructure against new threats.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.